Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The CodeRider-Kilo parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check.
AnalysisAI
CodeRider-Kilo's command auto-approval module fails to correctly parse Windows CMD escape sequences (^), allowing attackers to bypass its Git command whitelist and achieve arbitrary remote code execution. The vulnerability exploits a mismatch between the Unix-based shell-quote parser used for validation and the actual Windows CMD interpreter behavior, enabling attackers to inject malicious commands through crafted payloads such as git log ^" & malicious_command ^". No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
CodeRider-Kilo implements a command auto-approval security module that uses the Unix-based shell-quote library to parse and whitelist commands before execution on Windows platforms. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command, aka OS Command Injection). The vulnerability stems from a fundamental incompatibility: the shell-quote parser correctly interprets the caret (^) character as an escape sequence in Unix contexts, but Windows CMD.exe has different escape semantics. When the parser encounters git log ^" in a validation context, it treats the escaped quote as a protected character and fails to recognize the subsequent & operator as a command connector, thus approving the entire command. However, Windows CMD.exe ignores the escaped quotes and correctly parses the & as a logical AND operator, executing the injected malicious command. This parser-execution environment mismatch allows complete bypass of whitelist controls.
RemediationAI
Immediate action required: apply vendor-supplied patch when available from the CodeRider-Kilo development team, noting that no specific patched version number is provided in current intelligence. The fundamental fix is to replace the Unix-based shell-quote parser with a Windows CMD-aware command parser that correctly handles Windows-specific escape sequences (^, ", ^&, etc.) and re-validate all whitelist logic against the actual execution interpreter semantics. Until a vendor patch is released, implement compensatory controls: restrict execution of the auto-approval module to trusted internal networks only, disable auto-approval functionality if possible and require manual review for all commands, and audit all executed commands through CodeRider-Kilo against an external security baseline. Consult the GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/3 for vendor guidance and timeline.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16670